initial commit

Signed-off-by: kpango <kpango@vdaas.org>

Author: kpango

.claude/settings.local.json

@@ -0,0 +1,21 @@
+{
+  "permissions": {
+    "allow": [
+      "Read(//home/kpango/.claude/**)",
+      "Read(//home/kpango/.config/**)",
+      "Read(//home/kpango/.local/share/**)",
+      "Read(//home/kpango/**)",
+      "Bash(python3 -c \"import json,sys; d=json.load\\(sys.stdin\\); print\\({k: '***' if 'token' in k.lower\\(\\) or 'key' in k.lower\\(\\) or 'secret' in k.lower\\(\\) else v for k,v in d.items\\(\\)}\\)\")",
+      "Bash(nix search *)",
+      "Bash(curl -s \"https://api.github.com/repos/containerd/containerd/releases/latest\")",
+      "Bash(curl -s \"https://api.github.com/repos/slimtoolkit/slim/releases/latest\")",
+      "Bash(curl -sL \"https://github.com/containerd/containerd/releases/download/v2.3.0/containerd-2.3.0-linux-amd64.tar.gz\")",
+      "Bash(tar tzf *)",
+      "Bash(curl -sL \"https://github.com/slimtoolkit/slim/releases/download/1.40.11/dist_linux.tar.gz\")",
+      "Bash(make format/zsh)",
+      "Bash(nix eval *)",
+      "Bash(make perm *)",
+      "Bash(git *)"
+    ]
+  }
+}

.github/actions/docker/action.yaml

@@ -0,0 +1,150 @@
+name: "Docker Action"
+description: "Build or Merge Docker images using the repository's Makefile."
+inputs:
+  operation:
+    description: "The operation to perform (build or merge)"
+    required: true
+  image_name:
+    description: "The image name to build or merge"
+    required: true
+  docker_user:
+    description: "DockerHub username"
+    required: true
+    default: "kpango"
+  docker_pass:
+    description: "DockerHub password"
+    required: true
+  github_token:
+    description: "GitHub Token"
+    required: true
+  docker_push:
+    description: "Whether this is a push build"
+    required: false
+    default: "false"
+  platform:
+    description: "The platform to build"
+    required: false
+  suffix:
+    description: "The suffix for the docker tag"
+    required: false
+  ghcr_user:
+    description: "GHCR username"
+    required: false
+    default: ${{ github.repository_owner }}
+
+runs:
+  using: "composite"
+  steps:
+    - name: Login to DockerHub
+      if: inputs.operation == 'merge' || inputs.docker_push == 'true'
+      uses: docker/login-action@v4
+      with:
+        username: ${{ inputs.docker_user }}
+        password: ${{ inputs.docker_pass }}
+
+    - name: Login to GitHub Container Registry
+      if: inputs.operation == 'merge' || inputs.docker_push == 'true'
+      uses: docker/login-action@v4
+      with:
+        registry: ghcr.io
+        username: ${{ github.actor }}
+        password: ${{ inputs.github_token }}
+
+    - name: Clean up Docker Data
+      if: inputs.operation == 'build'
+      shell: bash
+      run: |
+        docker system prune -a -f --volumes
+        docker buildx prune -a -f
+
+    - name: Create Buildx
+      if: inputs.operation == 'build'
+      shell: bash
+      env:
+        GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }}
+        DOCKER_BUILDER_PLATFORM: ${{ inputs.platform }}
+        IMAGE_NAME: ${{ inputs.image_name }}
+      run: |
+        GC_FLAG="false"
+        CACHE_MODE="max"
+        WORKERS="8"
+
+        # large images: enable GC so BuildKit frees memory during build
+        if [[ "$IMAGE_NAME" == "go" || "$IMAGE_NAME" == "rust" || "$IMAGE_NAME" == "env" || "$IMAGE_NAME" == "nix" || "$IMAGE_NAME" == "tools" || "$IMAGE_NAME" == "vald" ]]; then
+          GC_FLAG="true"
+        fi
+
+        # images with huge intermediate layers: use min cache to avoid OOM on export
+        if [[ "$IMAGE_NAME" == "nix" || "$IMAGE_NAME" == "rust" || "$IMAGE_NAME" == "vald" ]]; then
+          CACHE_MODE="min"
+        fi
+
+        # nix: single bottleneck stage, cmake vald: CPU-bound — cap workers to save memory
+        if [[ "$IMAGE_NAME" == "nix" || "$IMAGE_NAME" == "vald" ]]; then
+          WORKERS="4"
+        fi
+
+        echo "DOCKER_CACHE_MODE=${CACHE_MODE}"           >> "$GITHUB_ENV"
+        echo "DOCKER_BUILDX_WORKERS=${WORKERS}"          >> "$GITHUB_ENV"
+
+        make \
+          DOCKER_BUILDER_PLATFORM="$DOCKER_BUILDER_PLATFORM" \
+          GITHUB_ACCESS_TOKEN="$GITHUB_ACCESS_TOKEN" \
+          DOCKER_BUILDX_GC="$GC_FLAG" \
+          DOCKER_BUILDX_WORKERS="$WORKERS" \
+          docker/builder/create
+
+    - name: Run Makefile target
+      shell: bash
+      env:
+        OPERATION: ${{ inputs.operation }}
+        IMAGE_NAME: ${{ inputs.image_name }}
+        USER_DEFAULT: ${{ inputs.docker_user }}
+        GHCR_USER: ${{ inputs.ghcr_user }}
+        DOCKER_PUSH: ${{ inputs.docker_push }}
+        GITHUB_ACCESS_TOKEN: ${{ inputs.github_token }}
+        DOCKER_BUILDER_PLATFORM: ${{ inputs.platform }}
+        DOCKER_ARCH_SUFFIX: ${{ inputs.suffix }}
+        DOCKER_CACHE_MODE: ${{ env.DOCKER_CACHE_MODE }}
+        EVENT_NAME: ${{ github.event_name }}
+        EVENT_PATH: ${{ github.event_path }}
+        GITHUB_REF_VAR: ${{ github.ref }}
+      run: |
+        VERSION="nightly"
+        EXTRA_OPTS=""
+        TARGET="docker/${OPERATION}/${IMAGE_NAME}"
+
+        if [ "$EVENT_NAME" == "pull_request" ]; then
+          PR_NUM=$(jq -r ".number" "$EVENT_PATH")
+          VERSION="pr-$PR_NUM"
+        elif [[ "$GITHUB_REF_VAR" == refs/tags/* ]]; then
+          VERSION="${GITHUB_REF_VAR#refs/tags/}"
+        fi
+
+        if [ "$EVENT_NAME" == "schedule" ]; then
+          EXTRA_OPTS="--no-cache"
+        fi
+
+        if [ "$OPERATION" == "build" ]; then
+          make \
+            DOCKER_PUSH="$DOCKER_PUSH" \
+            USER="$USER_DEFAULT" \
+            SYS_USER="$USER_DEFAULT" \
+            USER_ID="1000" \
+            GROUP_ID="1000" \
+            GROUP_IDS="1000 98 972 987 994 996 998 1001 1002 1003 1004 1005" \
+            GHCR_USER="$GHCR_USER" \
+            VERSION="$VERSION" \
+            GITHUB_ACCESS_TOKEN="$GITHUB_ACCESS_TOKEN" \
+            DOCKER_BUILDER_PLATFORM="$DOCKER_BUILDER_PLATFORM" \
+            DOCKER_ARCH_SUFFIX="$DOCKER_ARCH_SUFFIX" \
+            DOCKER_CACHE_MODE="${DOCKER_CACHE_MODE:-max}" \
+            DOCKER_EXTRA_OPTS="$EXTRA_OPTS" \
+            "$TARGET"
+        else
+          make \
+            USER="$USER_DEFAULT" \
+            GHCR_USER="$GHCR_USER" \
+            VERSION="$VERSION" \
+            "$TARGET"
+        fi

.github/dependabot.yaml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: "github-actions"
+    directory: "/"
+    schedule:
+      interval: "daily"

.github/workflows/docker-matrix.yaml

@@ -0,0 +1,67 @@
+name: "Build docker images"
+on:
+  push:
+    branches:
+      - main
+    tags:
+      - "*.*.*"
+      - "v*.*.*"
+      - "*.*.*-*"
+      - "v*.*.*-*"
+    paths:
+      - "dockers/**"
+      - "Makefile"
+      - ".github/workflows/**"
+  pull_request:
+    paths:
+      - "dockers/**"
+      - "Makefile"
+      - ".github/workflows/**"
+  workflow_dispatch:
+  schedule:
+    - cron: "0 23 * * *"
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  base:
+    uses: ./.github/workflows/docker-reusable.yaml
+    with:
+      image_name: base
+    secrets: inherit
+
+  images:
+    needs: base
+    strategy:
+      fail-fast: false
+      matrix:
+        image: [dart, docker, env, gcloud, go, k8s, nim, nix, rust, vald, zig]
+    uses: ./.github/workflows/docker-reusable.yaml
+    with:
+      image_name: ${{ matrix.image }}
+    secrets: inherit
+
+  tools:
+    needs: [base, images]
+    if: |
+      always() &&
+      needs.base.result == 'success' &&
+      !cancelled()
+    uses: ./.github/workflows/docker-reusable.yaml
+    with:
+      image_name: tools
+    secrets: inherit
+
+  dev:
+    needs: [base, images, tools]
+    if: |
+      always() &&
+      needs.base.result == 'success' &&
+      needs.tools.result == 'success' &&
+      !cancelled()
+    uses: ./.github/workflows/docker-reusable.yaml
+    with:
+      image_name: dev
+    secrets: inherit

.github/workflows/docker-reusable.yaml

@@ -0,0 +1,71 @@
+name: "Reusable Docker Build & Merge"
+on:
+  workflow_call:
+    inputs:
+      image_name:
+        required: true
+        type: string
+
+jobs:
+  build:
+    timeout-minutes: 90
+    strategy:
+      fail-fast: false
+      matrix:
+        arch:
+          - platform: linux/amd64
+            runner: ubuntu-latest
+            suffix: amd64
+          - platform: linux/arm64/v8
+            runner: ubuntu-24.04-arm
+            suffix: arm64
+    runs-on: ${{ matrix.arch.runner }}
+    environment: copilot
+    steps:
+      - name: Free Disk Space (Ubuntu)
+        if: ${{ inputs.image_name == 'go' || inputs.image_name == 'rust' || inputs.image_name == 'env' || inputs.image_name == 'nix' || inputs.image_name == 'tools' || inputs.image_name == 'vald' }}
+        uses: endersonmenezes/free-disk-space@v3
+        with:
+          remove_android: true
+          remove_dotnet: true
+          remove_haskell: true
+          remove_tool_cache: true
+          remove_swap: true
+          remove_packages: "azure-cli google-cloud-cli microsoft-edge-stable google-chrome-stable firefox postgresql* temurin-* *llvm* mysql* dotnet-sdk-*"
+          remove_packages_one_command: true
+          remove_folders: "/usr/share/swift /usr/share/miniconda /usr/share/az* /usr/local/lib/node_modules /usr/local/share/chromium /usr/local/share/powershell /usr/local/julia /usr/local/aws-cli /usr/local/aws-sam-cli /usr/share/gradle"
+          rm_cmd: "rmz"
+
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
+      - name: Build and Push Docker Image
+        uses: ./.github/actions/docker
+        with:
+          operation: build
+          image_name: ${{ inputs.image_name }}
+          docker_user: ${{ secrets.DOCKERHUB_USER || 'kpango' }}
+          docker_pass: ${{ secrets.DOCKERHUB_PASS }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          docker_push: true
+          platform: ${{ matrix.arch.platform }}
+          suffix: ${{ matrix.arch.suffix }}
+
+  merge:
+    needs: build
+    runs-on: ubuntu-latest
+    environment: copilot
+    steps:
+      - uses: actions/checkout@v6
+        with:
+          fetch-depth: 1
+
+      - name: Merge and Push Manifest
+        uses: ./.github/actions/docker
+        with:
+          operation: merge
+          image_name: ${{ inputs.image_name }}
+          docker_user: ${{ secrets.DOCKERHUB_USER || 'kpango' }}
+          docker_pass: ${{ secrets.DOCKERHUB_PASS }}
+          github_token: ${{ secrets.GITHUB_TOKEN }}